[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: F9: How to remove a permanent SSL user/client certificate?



Craig White wrote:
On Fri, 2009-05-08 at 17:44 -0700, Daniel B. Thurman wrote:
Sorry, I have looked on the Internet and have not
figured out how to get rid of a permanent client/user
certificate.  I am testing my Apache/SVN/SSL with
a self-signed certificate and choose the permanent
option, and I'd like to remove it for further testing.
----
remove from what?

from server, you have a crl (certificate revocation list)

from client, depends how/where you installed it

Craig
I was trying to setup and test my Apache/SVN/SSL setup, and
I have for /etc/httpd/conf.d/subversion.conf:

<VirtualHost 127.0.0.1:80>
   ServerName gold.cdkkt.com
   Redirect / https://gold.cdkkt.com/
</VirtualHost>
<VirtualHost gold.cdkkt.com:443>
   #<Directory "/svn/svn">
   #  Order allow,deny
   #  Allow from 127.0.0 10.0.0
   #</Directory>
   ServerName  gold.cdkkt.com
   ServerAdmin admin cdkkt com
   CustomLog /svn/svn/Admin/logs/access.log combined
   ErrorLog  /svn/svn/Admin/logs/error.log
   SSLEngine on
   SSLCertificateFile    /etc/pki/tls/certs/localhost.crt
   SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
   <Location /svn>
      AuthName "Subversion Repository"
      DAV svn
      SVNParentPath      /svn/svn
      AuthUserFile       /svn/svn/Admin/apache/auth
      AuthzSVNAccessFile /svn/svn/Admin/apache/authz
      #<LimitExcept GET PROPFIND OPTIONS REPORT>
      #    Order deny,allow
      #    Deny from all
      #    allow from 127.0.0 10.1.0.0/24
#</LimitExcept> AuthType Basic
      Require valid-user
      #Satisfy any
   </Location>
</VirtualHost>

And while I was testing, on the command line such as:
# svn list https://gold.cdkkt.com/svn/svn1

I was prompted to choose Reject, Temporary, or Permanent
and I choose "p", and it moved on to asking for an SVN password,
accepting it, and I got my SVN repository list.
==============================================
$ svn list https://gold.cdkkt.com/svn/svn1
Error validating server certificate for 'https://gold.cdkkt.com:443':
- The certificate is not issued by a trusted authority. Use the
  fingerprint to validate the certificate manually!
Certificate information:
- Hostname: gold.cdkkt.com
- Valid: from Fri, 08 May 2009 19:41:42 GMT until Mon, 06 May 2019 19:41:42 GMT
- Issuer: Software Consultant, DBT And Associates, Beaverton, Oregon, US
- Fingerprint: 6f:8c:46:d3:71:e4:27:b8:3b:78:1c:d5:37:8d:9c:87:68:e0:98:88
(R)eject, accept (t)emporarily or accept (p)ermanently? p
Authentication realm: <https://gold.cdkkt.com:443> Subversion Repository @ Gold.cdkkt.com
Password for 'dant':
branches/
tags/
trunk/
==============================================

The next time I ran this above command line again, I somehow
got an error:
===============================================
$svn list https://gold.cdkkt.com/svn/svn1
Error validating server certificate for 'https://gold.cdkkt.com:443':
- The certificate is not issued by a trusted authority. Use the
  fingerprint to validate the certificate manually!
Certificate information:
- Hostname: gold.cdkkt.com
- Valid: from Fri, 08 May 2009 19:41:42 GMT until Mon, 06 May 2019 19:41:42 GMT
- Issuer: Software Consultant, DBT And Associates, Beaverton, Oregon, US
- Fingerprint: 6f:8c:46:d3:71:e4:27:b8:3b:78:1c:d5:37:8d:9c:87:68:e0:98:88
(R)eject, accept (t)emporarily or accept (p)ermanently? p
svn: PROPFIND request failed on '/svn/svn1'
svn: PROPFIND of '/svn/svn1': 403 Forbidden (https://gold.cdkkt.com)
===============================================

I am trying to understand what is going on: (1) why am I still getting
prompted to choose the certificate (I thought is was permanent),
and (2) no longer asked for the SVN password.  It is quite possible
for (2), I screwed up the subversion.conf settings but can't quite
find the problem.

What is odd is, that if I uncomment `#Satisfy any' line, run the same
exact command as above, I  don't get asked to verify the certs, don't
get requested for the SVN password, and immediately get the the
SVN listing.

I did find some things in:
~/.subversion directory under the `auth' directories, and removed
what I *think* where the certs were saved, but I cannot be certain,
even so, nothing has changed.

So, if the certificate was supposedly saved somewhere, where should
it be located?  I checked the Keyrings, Browser-security - nothing.

Dan


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]